AN ENTERPRISE APPROACH IS NEEDED TO
ADDRESS THE SECURITY RISK OF UNPATCHED COMPUTERS

Issued on September 25, 2012

Highlights

Highlights of Report Number: 2012-20-112 to the Internal Revenue
Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Patch
management is an important element in
mitigating the security risks associated with known vulnerabilities. The IRS
has taken some actions to address patch management weaknesses, but an
enterprise approach is needed to fully implement and enforce patch management
policy. Any significant delays in
patching software with critical vulnerabilities provides ample opportunity for
persistent attackers to gain control over the vulnerable computers and get
access to the sensitive data they may contain, including taxpayer data.

WHY TIGTA DID THE AUDIT

This audit was initiated to evaluate the
effectiveness of the IRS security patch management process. The implementation
of effective patch management processes has been an ongoing challenge for the
IRS, with patch issues reported in numerous prior TIGTA and Government
Accountability Office reports. This audit is included in our Fiscal Year 2012
Annual Audit Plan and addresses the major management challenge of Security for
Taxpayer Data and Employees.

WHAT TIGTA FOUND

Although
progress has been made to automate installation and monitoring of patching in a
large segment of its Windows environment, the IRS has not yet implemented key
patch management policies and procedures needed to ensure all IRS systems are
patched timely and operating securely. Specifically, the IRS has not completed
implementation of an accurate and complete inventory of its information
technology assets, which is critical for ensuring that patches are identified
and applied timely for all types of operating systems and software used within
its environment.

In
addition, the IRS needs to improve patch policy and monitoring processes to
ensure patches are applied timely. The IRS also has not implemented controls
to ensure that unsupported operating systems are not putting the IRS at risk.
The IRS needs enterprise-level oversight and leadership to complete the
implementation of its standardized patch management program and to achieve the
benefits of implementing enterprise-wide patching solutions.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS implement
enterprise‑level responsibility to set and enforce IRS patch management
policy, complete deployment of an automated asset discovery tool and build an
accurate and complete inventory of information technology assets, take an
enterprise-wide approach to buying tools to avoid redundancy and excessive
cost, and complete implementation of controls to ensure that unsupported
operating systems are not putting the IRS at risk.

The
IRS agreed with TIGTA’s recommendations and planned appropriate corrective
actions for seven of the eight recommendations. Although the IRS agreed with
the intent of the recommendation to hold system owners accountable for patching
computers within prescribed time frames, it stated that its existing procedures
addressed this recommendation and planned no corrective actions. While TIGTA
believes further actions could have been taken, TIGTA also believes the IRS
will address this issue through other planned corrective actions to update its
patch management policy to provide clear standards for patch installation and
to assign the responsibility to the Cybersecurity organization for ensuring
enterprise-wide compliance with patch management policies.

READ THE FULL REPORT

To view the report, including the scope, methodology,
and full IRS response, go to: